Cryptographic Right Answers

By Wolfgang Keller
Originally written 2019-07-03
Last modified 2019-08-29

Links

Results (ordered as in the texts)

Encrypting Data

You care about this if: you’re hiding information from users or the network.

Percival, 2009
  Do: TODO
  Avoid: TODO
Ptacek, 2015
  Do: TODO
  Avoid: TODO
Latacora, 2018
  Do: TODO
  Avoid: TODO

Symmetric key length

You care about this if: you’re using cryptography.

Percival, 2009
  Do: 256 bit
  If you can get away with it: 128 bit
  Avoid: -
Ptacek, 2015 and Latacora, 2018
  Do: 256 bit
  If you can get away with it: -
  Avoid:
    • constructions with huge keys
    • cipher “cascades”
    • key sizes < 128 bit

Symmetric signatures

You care about this if: you’re securing an API, encrypting session cookies, or are encrypting user data but, against medical advice, not using an AEAD construction.

Percival, 2009
  Do: HMAC
  Avoid:
    • custom constructions
Ptacek, 2015 and Latacora, 2018
  Do: HMAC
  Avoid:
    • custom “keyed hash” constructions
    • HMAC-MD5
    • HMAC-SHA1
    • complex polynomial MACs
    • encrypted hashes
    • CRC

Hashing/HMAC algorithm

You care about this if: you always care about this.

Percival, 2009
  Do:
    • SHA-256 (SHA-2)
    • SHA-512 (SHA-2) [mentioned implicitly]
  If you can get away with it: -
  Future prospect: plan update to SHA-3 within next 5-10 years
  Avoid:
    • SHA-1 [mentioned implicitly]
    • MD5 [mentioned implicitly]
Ptacek, 2015 and Latacora, 2018
  Do: SHA-2
  If you can get away with it: SHA-512/256
  Future prospect: -
  Avoid:
    • SHA-1
    • MD5
    • MD6

Random IDs

You care about this if: you always care about this.

Percival, 2009
  Do: TODO
  Avoid: TODO
Ptacek, 2015
  Do: TODO
  Avoid: TODO
Latacora, 2018
  Do: TODO
  Avoid: TODO

Password handling

You care about this if: you accept passwords from users or, anywhere in your system, have human-intelligible secret keys.

Percival, 2009
  Do:
    1. scrypt
    2. PBKDF2
    Erase the plaintext password from memory.
Ptacek, 2015
  Do:
    1. scrypt
    2. bcrypt
    3. PBKDF2
Latacora, 2018
  Do:
    1. scrypt
    2. Argon2
    3. bcrypt
    4. PBKDF2
Avoid (listed by at least one of the three texts):
  • store users' passwords
  • MD5
  • don't use password hashes at all
  • SHA-2
  • SHA-1
  • not using a real secure password hash
  • build elaborate password-hash-agility scheme
  • SHA-3
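As an added example (not code from any of the three texts), the following stores and checks passwords with nothing but the Python standard library: scrypt, the first choice in all three columns, and PBKDF2-HMAC-SHA256, the last choice, each with a random per-user salt and a constant-time comparison. A one-word prefix in the stored record says which KDF and parameters were used, so that a record made with the weaker choice is re-hashed on the user's next successful login; that is all the “agility” needed, and the record format, parameter values and the sample passwords are assumptions of this example.

```python
# Added example (not from the three texts): password storage with hashlib.scrypt / pbkdf2_hmac.
import base64
import hashlib
import hmac
import secrets

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed parameters: 16 MiB, tens of ms per hash
PBKDF2_ITERATIONS = 600_000                     # assumed: PBKDF2-HMAC-SHA256 fallback only
DKLEN = 32                                      # derived key length in bytes
SALT_LEN = 16                                   # random salt per record


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def _unb64(text):
    return base64.b64decode(text.encode("ascii"))


def _derive(kdf, params, password, salt):
    """Run the KDF named in a record; raises ValueError on unknown names or bad params."""
    pw = password.encode("utf-8")
    if kdf == "scrypt":
        n, r, p = (int(x) for x in params.split(","))
        return hashlib.scrypt(pw, salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    if kdf == "pbkdf2":
        return hashlib.pbkdf2_hmac("sha256", pw, salt, int(params), dklen=DKLEN)
    raise ValueError("unknown kdf")


def hash_password(password, kdf="scrypt"):
    """Return a storable record: kdf$params$salt$hash (format is an assumption of this example)."""
    salt = secrets.token_bytes(SALT_LEN)
    params = f"{SCRYPT_N},{SCRYPT_R},{SCRYPT_P}" if kdf == "scrypt" else str(PBKDF2_ITERATIONS)
    return "$".join((kdf, params, _b64(salt), _b64(_derive(kdf, params, password, salt))))


def verify_password(password, record):
    """True iff password matches record; any malformed record simply fails to verify."""
    try:
        kdf, params, salt, expected = record.split("$")
        got = _derive(kdf, params, password, _unb64(salt))
        return hmac.compare_digest(got, _unb64(expected))   # constant-time comparison
    except ValueError:   # wrong field count, bad base64, bad ints, unknown kdf
        return False


def needs_rehash(record):
    """True if the record was not made with the current KDF and parameters."""
    fields = record.split("$")
    return len(fields) != 4 or fields[0] != "scrypt" or fields[1] != f"{SCRYPT_N},{SCRYPT_R},{SCRYPT_P}"


def login(password, record):
    """Check the password; if it is right and the record is stale, return an upgraded record."""
    if not verify_password(password, record):
        return False, record
    return True, (hash_password(password) if needs_rehash(record) else record)


def naked_sha256(password):
    """The Avoid column: unsalted, fast, identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    old = hash_password("hunter2", kdf="pbkdf2")        # constructed legacy record
    ok, upgraded = login("hunter2", old)
    print(ok, upgraded.split("$")[0])                    # True scrypt
    print(naked_sha256("hunter2") == naked_sha256("hunter2"))   # True: no salt, rainbow-table fodder
```

Percival's note about erasing the plaintext from memory cannot be honoured from Python, whose strings are immutable and garbage-collected; keep the password in as few places as possible and never log the request body. Unlike the naked hash, two calls to hash_password with the same password produce different records because of the salt.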

Links:

Asymmetric encryption

You care about this if: you need to encrypt the same kind of message to many different people, some of them strangers, and they need to be able to accept the message asynchronously, like it was store-and-forward email, and then decrypt it offline. It’s a pretty narrow use case.

Percival, 2009
  Do: RSAES-OAEP with
    • hash function: SHA-256
    • mask generation function: MGF1+SHA256
    • public exponent: 65537 = 2^16 + 1
  If you can get away with it: -
  Avoid:
    • PKCS #1 v1.5
Ptacek, 2015
  Do: NaCl
  If you can get away with it: RSA-OAEP if you have to use RSA
  Avoid:
    • PKCS #1 v1.5
    • RSA
    • ElGamal
    • Merkle-Hellman knapsacks
Latacora, 2018
  Do: NaCl/libsodium (box / crypto_box)
  If you can get away with it: -
  Avoid: systems designed after 2015 that use
    • PKCS #1 v1.5
    • RSA
    • ElGamal
    • Merkle-Hellman knapsacks

Asymmetric signatures

You care about this if: you’re designing a new cryptocurrency. Or, a system to sign Ruby Gems or Vagrant images, or a DRM scheme, where the authenticity of a series of files arriving at random times needs to be checked offline against the same secret key. Or, you’re designing an encrypted message transport.

Percival, 2009
  Do: RSASSA-PSS with
    • hash function: SHA-256
    • mask generation function: MGF1+SHA256
    • public exponent: 65537 = 2^16 + 1
  Avoid: TODO
Ptacek, 2015
  Do: TODO
  Avoid: TODO
Latacora, 2018
  Do: TODO
  Avoid: TODO
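The two Percival columns above (RSAES-OAEP for encryption, RSASSA-PSS for signatures) share one parameter set, so one added example covers both. This is not code from Percival, Ptacek or Latacora; it uses the third-party `cryptography` package (assumed installed, `pip install cryptography`), which wraps OpenSSL, and the messages it encrypts and signs are constructed for the demonstration. The wrappers pin SHA-256, MGF1 with SHA-256 and e = 65537 = 2^16 + 1, and also show the size limit that makes RSA-OAEP a key-wrapping tool rather than a message-encryption tool.

```python
# Added example (not from the three texts): RSA-OAEP and RSA-PSS with Percival's parameters.
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

PUBLIC_EXPONENT = 65537        # 2^16 + 1
HASH = hashes.SHA256           # used for OAEP, PSS and MGF1 alike


def generate_keypair(key_size=2048):
    private_key = rsa.generate_private_key(public_exponent=PUBLIC_EXPONENT, key_size=key_size)
    return private_key, private_key.public_key()


def oaep():
    """RSAES-OAEP: hash SHA-256, MGF1 with SHA-256, empty label."""
    return padding.OAEP(mgf=padding.MGF1(algorithm=HASH()), algorithm=HASH(), label=None)


def pss():
    """RSASSA-PSS: MGF1 with SHA-256, salt length = hash length (the RFC 8017 recommendation)."""
    return padding.PSS(mgf=padding.MGF1(HASH()), salt_length=HASH().digest_size)


def max_oaep_plaintext_len(key_size_bits, hash_len=32):
    """RFC 8017 section 7.1.1: mLen <= k - 2*hLen - 2, k = modulus length in bytes."""
    return key_size_bits // 8 - 2 * hash_len - 2


def encrypt(public_key, plaintext):
    return public_key.encrypt(plaintext, oaep())


def decrypt(private_key, ciphertext):
    """The plaintext, or None when the ciphertext does not decrypt to valid OAEP padding."""
    try:
        return private_key.decrypt(ciphertext, oaep())
    except ValueError:
        return None


def sign(private_key, message):
    return private_key.sign(message, pss(), HASH())


def verify(public_key, message, signature):
    try:
        public_key.verify(signature, message, pss(), HASH())
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    priv, pub = generate_keypair()
    # Constructed payload: a symmetric key to be wrapped, which is the realistic use of OAEP.
    ct = encrypt(pub, b"32-byte symmetric key goes here!")
    print(decrypt(priv, ct))                                  # b'32-byte symmetric key goes here!'
    print(max_oaep_plaintext_len(2048))                       # 190
    sig = sign(priv, b"gem-1.0.0.tar.gz contents")            # constructed artifact
    print(verify(pub, b"gem-1.0.0.tar.gz contents", sig))     # True
    print(verify(pub, b"gem-1.0.1.tar.gz contents", sig))     # False
```

With a 2048-bit key OAEP carries at most 190 bytes, which is why the section calls the use case narrow: anything larger is encrypted with a symmetric AEAD under a key that OAEP wraps. Both OAEP and PSS are randomised, so encrypting or signing the same input twice gives different bytes; a deterministic RSA ciphertext is a sign that PKCS #1 v1.5 or raw RSA (the Avoid column) is in use. Ptacek's and Latacora's preferred answer, crypto_box from NaCl/libsodium, needs no parameters at all, which is the point of recommending it.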

Diffie-Hellman

You care about this if: you’re designing an encrypted transport or messaging system that will be used someday by a stranger, and so static AES keys won’t work.

Percival, 2009
  Do: TODO
  Avoid: TODO
Ptacek, 2015
  Do: TODO
  Avoid: TODO
Latacora, 2018
  Do: TODO
  Avoid: TODO

Website security

You care about this if: you have a website.

Percival, 2009
  Do: TODO
  Avoid: TODO
Ptacek, 2015
  Do: TODO
  Avoid: TODO
Latacora, 2018
  Do: TODO
  Avoid: TODO

Client-server application security

You care about this if: the previous recommendations about public-key crypto were relevant to you.

Percival, 2009
  Do: TODO
  Avoid: TODO
Ptacek, 2015
  Do: TODO
  Avoid: TODO
Latacora, 2018
  Do: TODO
  Avoid: TODO

Online backups

You care about this if: you bother backing things up.

Percival, 2009, Ptacek, 2015 and Latacora, 2018
  Do: Tarsnap

Results (ordered by agreement)

TODO